On 2020-03-07 at 11:36, Hervé BOUTEMY wrote:
Hi,
Yesterday, I made a key step forward for Reproducible Builds with Maven: I
wrote code to easily check that your local build produces the same binaries as
the reference binaries published either to staging or to Central repository.
For a live example, see the last paragraph of Maven Site Plugin vote that just
started [1].
Process to check build output is based on a single plugin goal, currently named
buildinfo:save [2]:
1. it creates a buildinfo file during build recording output fingerprints, that
will eventually in the future be published to Central repository
2. it downloads reference artifacts and/or reference buildinfo and checks that
the output of the local build is the same as the reference.
Now I want to discuss: is it clear? can you test and report, please?
If the feedback is positive, the next question will be: in which plugin should
we put this goal to make a release and add it to our parent pom during release,
so we publish reference buildinfo along our reference binaries to Central
repository.
Made some progress:
[INFO] --- maven-buildinfo-plugin:1.0-SNAPSHOT:save (default-cli) @ maven-site-plugin ---
[INFO] Saved info on build to /var/osipovmi/Projekte/maven-site-plugin/target/maven-site-plugin-3.9.0.buildinfo
[INFO] Checking against reference build from https://repository.apache.org/content/repositories/maven-1554/...
[WARNING] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Minimal buildinfo generated from downloaded artifacts: /var/osipovmi/Projekte/maven-site-plugin/target/reference/maven-site-plugin-3.9.0.buildinfo
[WARNING] size mismatch maven-site-plugin-3.9.0.jar: diffoscope target/reference/maven-site-plugin-3.9.0.jar target/maven-site-plugin-3.9.0.jar
[WARNING] size mismatch maven-site-plugin-3.9.0-sources.jar: diffoscope target/reference/maven-site-plugin-3.9.0-sources.jar target/maven-site-plugin-3.9.0-sources.jar
[WARNING] size mismatch maven-site-plugin-3.9.0-source-release.zip: diffoscope target/reference/maven-site-plugin-3.9.0-source-release.zip target/maven-site-plugin-3.9.0-source-release.zip
[WARNING] Reproducible Build output summary: 0 files ok, 3 different, 0 missing
[WARNING] diff target/reference/maven-site-plugin-3.9.0.buildinfo target/maven-site-plugin-3.9.0.buildinfo
This is expected because I am on 1.8.0_242. I don't have Java 7
installed anymore on the server.
As a note, reproducibility after some time is not always possible if
necessary compilers/tools aren't available anymore -- as you can see.
Michael
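
The comparison step discussed in this thread, sketched as an added example (not code from the buildinfo plugin or from either poster). It classifies each reference artifact as ok, size mismatch, hash mismatch or missing, and shows why a size check alone is not enough. All function names, file names and file contents are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha512_of(path):
    """Hash one artifact in chunks so large jars are not loaded whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_builds(reference_dir, local_dir):
    """Map each reference artifact name to its verification status."""
    results = {}
    for ref in sorted(p for p in Path(reference_dir).iterdir() if p.is_file()):
        local = Path(local_dir) / ref.name
        if not local.is_file():
            results[ref.name] = "missing"
        elif ref.stat().st_size != local.stat().st_size:
            results[ref.name] = "size mismatch"      # cheap check first
        elif sha512_of(ref) != sha512_of(local):
            results[ref.name] = "sha512 mismatch"    # same size, other bytes
        else:
            results[ref.name] = "ok"
    return results

def summary(results):
    """Summary line in the style of the plugin output quoted above."""
    ok = sum(v == "ok" for v in results.values())
    missing = sum(v == "missing" for v in results.values())
    return f"{ok} files ok, {len(results) - ok - missing} different, {missing} missing"

def demo():
    """Constructed sample artifacts: tiny fake files, not real Maven output."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, loc = Path(tmp, "reference"), Path(tmp, "local")
        ref.mkdir()
        loc.mkdir()
        (ref / "demo-1.0.jar").write_bytes(b"same bytes")
        (loc / "demo-1.0.jar").write_bytes(b"same bytes")
        (ref / "demo-1.0-sources.jar").write_bytes(b"built with JDK A")
        (loc / "demo-1.0-sources.jar").write_bytes(b"built with JDK BB")
        (ref / "demo-1.0.pom").write_bytes(b"timestamp=1")
        (loc / "demo-1.0.pom").write_bytes(b"timestamp=2")  # same length
        (ref / "demo-1.0-source-release.zip").write_bytes(b"zip")
        results = compare_builds(ref, loc)
        return results, summary(results)

if __name__ == "__main__":
    for name, status in demo()[0].items():
        print(f"{status:16} {name}")
```

An artifact with matching size but a different digest would pass a size-only comparison, so the digest is the value to trust when deciding whether a published binary matches the local rebuild.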